Snort mailing list archives
RE: newbie snort user on windows xp needs help please
From: "Michael Steele" <michaels () silicondefense com>
Date: Wed, 26 Jun 2002 23:21:25 -0700
-Michael

Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: June 26, 2002 11:21 PM
To: 'Scott Weeks'
Subject: RE: [Snort-users] newbie snort user on windows xp needs help please

Scott,

The way you are running Snort will not allow Snort to generate alerts to the screen. The rules are correct, and you should be generating an enormous amount of traffic. Use your browser to generate the traffic.

Make sure you have activated your custom rules in your snort.conf. Also, when you add rules, be sure to restart Snort.

After you run Snort and generate some traffic, stop Snort and use a text editor to check your alert.ids file and see if there are alerts being entered. They will be time-stamped.

If you really want to get the feel of Snort and have a better understanding of how things work, you might want to do a manual install. All the programs you are using are available outside the installer. There is a LOT of documentation out there for Snort and Windows, but not nearly as much as there is for *nix. Try doing a search on Google for some key words or phrases.

Also, I have never used that installer, so some of the above may not apply.
-Michael

-----Original Message-----
From: Scott Weeks [mailto:surfer () mauislanwanman com]
Sent: June 26, 2002 8:22 PM
To: Michael Steele
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] newbie snort user on windows xp needs help please

On Wed, 26 Jun 2002, Michael Steele wrote:
: Scott,
:
: There are a multitude of new people visiting this list every day, or I
: would hope. The information, no matter how trivial, will help someone. It
: will also help people to better understand Snort and what works and what
: doesn't work, and hopefully that knowledge will better the Snort
: community.
:
: How I usually, and I'm sure most of the techs that monitor this list,
: deal with postings is not only to reply back to the list but to CC the
: poster so he or she can get the required information in the quickest
: possible way.

Hello list members,

Here's the gist of my problem... I am finding documentation for Windows lacking. I'm using XP Home Edition (unfortunately) and IDScenter 1.09 Beta 1.3 (beta; maybe that's my problem?) on my home computer, so I can get used to using Snort in preparation for an interview I have coming up.

Just to get some traffic generated I put in the following rules:

log tcp any any <> any any (msg: "test";)
alert tcp any any <> any any (msg: "test";)

These are in the "IDS rules" part of the GUI interface. In the "Logs/Alerts" section I left the path unchanged:

C:\Program Files\IDS_systems\Sourcefire\log\alert.ids

In the "General Setup" window I click on "Create Script" and everything's OK. For the IP I use the "Select" button and check with the "Command Prompt" (DOS screen) using the ipconfig command, so I know it's the correct one. (My ISP uses DHCP.) I also used the "Test Configuration" button for sanity's sake. All is good.

When I click "Start Snort" a DOS window opens up and remains open. I'm assuming that the "alert" rule should cause things to show up in that window and the "log" rule should cause the same entries to show up in the "alert.ids" file, and those should be able to be seen when clicking on the "View Alerts" button. However, nothing shows up on the DOS screen, nor does anything show up in the "View Alerts" window when I put the path to the file "C:\Program Files\IDS_systems\Sourcefire\log\alert.ids" in the "Search alert log" box.

Thanks,
scott
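Michael's check (stop Snort, open alert.ids, look for time-stamped records) can be scripted so that a beginner can tell at a glance whether the sensor is writing anything and which rule is firing. The script below is an added example for this thread; it is not code from the thread, from IDScenter or from the Snort project. It assumes alert.ids is in Snort's "full" alert format (what Snort writes when no -A option is given), that the timestamps carry no year (Snort omits it unless run with -y, so a year is passed in), and it runs on a constructed three-record sample whose addresses, ports, IP IDs and sequence numbers are made up.

```python
"""Summarise a Snort 'full' format alert file such as alert.ids.

Added example for the snort-users thread above, not code from the thread,
IDScenter or Snort. Assumes Snort's default full alert format with no year
in the timestamps.
"""
import re
import sys
from collections import Counter
from datetime import datetime

# Constructed sample of three records in Snort's full alert format.
# Addresses, ports, IP IDs and sequence numbers are invented for illustration.
SAMPLE_ALERT_IDS = """\
[**] [1:1000001:0] test [**]
06/26-20:15:01.123456 192.168.0.10:1034 -> 66.35.250.209:80
TCP TTL:128 TOS:0x0 ID:4521 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x4000  TcpLen: 28

[**] [1:1000001:0] test [**]
06/26-20:15:01.201122 66.35.250.209:80 -> 192.168.0.10:1034
TCP TTL:51 TOS:0x0 ID:0 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x9F8E7D6C  Ack: 0x1A2B3C4E  Win: 0x16D0  TcpLen: 28

[**] custom test [**]
06/26-20:15:02.000001 192.168.0.10:1035 -> 66.35.250.209:80
TCP TTL:128 TOS:0x0 ID:4522 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1A2B3C5D  Ack: 0x0  Win: 0x4000  TcpLen: 28
"""

# "[**] [gid:sid:rev] message [**]"; the [gid:sid:rev] part is optional
# because rules without a sid (like the two posted above) do not produce it.
HEADER_RE = re.compile(r"^\[\*\*\]\s*(?:\[(\d+):(\d+):(\d+)\]\s*)?(.*?)\s*\[\*\*\]$")

# "MM/DD-HH:MM:SS.uuuuuu src[:port] -> dst[:port]"; ports are absent for ICMP.
PACKET_RE = re.compile(
    r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+)\s+(\S+?)(?::(\d+))?\s+->\s+(\S+?)(?::(\d+))?$"
)


def parse_alert_file(text, year=2002):
    """Return one dict per alert record found in a full-format alert file."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        header = HEADER_RE.match(lines[0])
        if header is None:
            continue  # not an alert record (stray text, banner), skip it
        _gid, sid, _rev, msg = header.groups()
        rec = {"msg": msg, "sid": int(sid) if sid else None,
               "timestamp": None, "proto": None,
               "src": None, "sport": None, "dst": None, "dport": None}
        for line in lines[1:]:
            pkt = PACKET_RE.match(line)
            if pkt:
                date, clock, src, sport, dst, dport = pkt.groups()
                rec["timestamp"] = datetime.strptime(
                    f"{year}/{date} {clock}", "%Y/%m/%d %H:%M:%S.%f")
                rec.update(src=src, dst=dst,
                           sport=int(sport) if sport else None,
                           dport=int(dport) if dport else None)
            elif rec["proto"] is None and line.split()[0] in ("TCP", "UDP", "ICMP"):
                rec["proto"] = line.split()[0]  # first token of the IP header line
        records.append(rec)
    return records


def summarize(records):
    """Count alerts per rule message and find the newest timestamp."""
    counts = Counter(r["msg"] for r in records)
    stamps = [r["timestamp"] for r in records if r["timestamp"] is not None]
    newest = max(stamps) if stamps else None
    return counts, newest


def main(argv):
    # With a path argument, read the real alert.ids; otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="latin-1") as fh:
            text = fh.read()
    else:
        text = SAMPLE_ALERT_IDS
    records = parse_alert_file(text)
    if not records:
        print("no alert records found - is Snort actually writing to this file?")
        return 1
    counts, newest = summarize(records)
    for msg, n in counts.most_common():
        print(f"{n:6d}  {msg}")
    print(f"newest alert: {newest}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no argument to see the sample parsed, or point it at the real file, e.g. `python snort_alerts.py "C:\Program Files\IDS_systems\Sourcefire\log\alert.ids"` (the script name is arbitrary). An empty result after browsing for a minute means the problem is upstream of the rules: the wrong interface, rules not included in snort.conf, or Snort not restarted after the rules were added. Separately from what the thread says, Snort itself can print alerts to the console with its `-A console` switch; whether IDScenter's generated start script passes that switch is not something the thread tells us.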
Current thread:
- newbie snort user on windows xp needs help please Scott Weeks (Jun 25)
- <Possible follow-ups>
- RE: newbie snort user on windows xp needs help please Michael Steele (Jun 26)
- RE: newbie snort user on windows xp needs help please Scott Weeks (Jun 27)
- RE: newbie snort user on windows xp needs help please Michael Steele (Jun 26)
- RE: newbie snort user on windows xp needs help please Scott Weeks (Jun 28)